VulnerableCode Package Details - pkg:npm/url-parse@1.5.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-91bh-dzjq-xbev Aliases: CVE-2022-0686 GHSA-hgjh-723h-mx2j	Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.	1.5.8 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-c1dy-p3tz-dbcs Aliases: CVE-2022-0691 GHSA-jf5r-8hm2-f872	url-parse incorrectly parses hostname / protocol due to unstripped leading control characters. Leading control characters in a URL are not stripped when passed into url-parse. This can cause input URLs to be mistakenly be interpreted as a relative URL without a hostname and protocol, while the WHATWG URL parser will trim control characters and treat it as an absolute URL. If url-parse is used in security decisions involving the hostname / protocol, and the input URL is used in a client which uses the WHATWG URL parser, the decision may be incorrect. This can also lead to a cross-site scripting (XSS) vulnerability if url-parse is used to check for the javascript: protocol in URLs. See following example: ```js const parse = require('url-parse') const express = require('express') const app = express() const port = 3000 url = parse(\"\\bjavascript:alert(1)\") console.log(url) app.get('/', (req, res) => { if (url.protocol !== \"javascript:\") {res.send(\"<a href=\\'\" + url.href + \"\\'>CLICK ME!</a>\")} }) app.listen(port, () => { console.log(`Example app listening on port ${port}`) }) ```	1.5.9 Affected by 0 other vulnerabilities.
VCID-rxnd-sf2e-aqcg Aliases: CVE-2022-0512 GHSA-rqff-837h-mm52	Authorization bypass in url-parse Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.	1.5.6 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-yqx2-x5zq-7qhv Aliases: CVE-2022-0639 GHSA-8v38-pw62-9cw2	url-parse Incorrectly parses URLs that include an '@' A specially crafted URL with an '@' sign but empty user info and no hostname, when parsed with url-parse, url-parse will return the incorrect href. In particular, ```js parse(\"http://@/127.0.0.1\") ``` Will return: ```yaml { slashes: true, protocol: 'http:', hash: '', query: '', pathname: '/127.0.0.1', auth: '', host: '', port: '', hostname: '', password: '', username: '', origin: 'null', href: 'http:///127.0.0.1' } ``` If the 'hostname' or 'origin' attributes of the output from url-parse are used in security decisions and the final 'href' attribute of the output is then used to make a request, the decision may be incorrect.	1.5.7 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-91bh-dzjq-xbev
Aliases:
CVE-2022-0686
GHSA-hgjh-723h-mx2j

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.

1.5.8
Affected by 1 other vulnerability.

VCID-c1dy-p3tz-dbcs
Aliases:
CVE-2022-0691
GHSA-jf5r-8hm2-f872

url-parse incorrectly parses hostname / protocol due to unstripped leading control characters. Leading control characters in a URL are not stripped when passed into url-parse. This can cause input URLs to be mistakenly be interpreted as a relative URL without a hostname and protocol, while the WHATWG URL parser will trim control characters and treat it as an absolute URL. If url-parse is used in security decisions involving the hostname / protocol, and the input URL is used in a client which uses the WHATWG URL parser, the decision may be incorrect. This can also lead to a cross-site scripting (XSS) vulnerability if url-parse is used to check for the javascript: protocol in URLs. See following example: ```js const parse = require('url-parse') const express = require('express') const app = express() const port = 3000 url = parse(\"\\bjavascript:alert(1)\") console.log(url) app.get('/', (req, res) => { if (url.protocol !== \"javascript:\") {res.send(\"<a href=\\'\" + url.href + \"\\'>CLICK ME!</a>\")} }) app.listen(port, () => { console.log(`Example app listening on port ${port}`) }) ```

1.5.9
Affected by 0 other vulnerabilities.

VCID-rxnd-sf2e-aqcg
Aliases:
CVE-2022-0512
GHSA-rqff-837h-mm52

Authorization bypass in url-parse Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.

1.5.6
Affected by 3 other vulnerabilities.

VCID-yqx2-x5zq-7qhv
Aliases:
CVE-2022-0639
GHSA-8v38-pw62-9cw2

url-parse Incorrectly parses URLs that include an '@' A specially crafted URL with an '@' sign but empty user info and no hostname, when parsed with url-parse, url-parse will return the incorrect href. In particular, ```js parse(\"http://@/127.0.0.1\") ``` Will return: ```yaml { slashes: true, protocol: 'http:', hash: '', query: '', pathname: '/127.0.0.1', auth: '', host: '', port: '', hostname: '', password: '', username: '', origin: 'null', href: 'http:///127.0.0.1' } ``` If the 'hostname' or 'origin' attributes of the output from url-parse are used in security decisions and the final 'href' attribute of the output is then used to make a request, the decision may be incorrect.

1.5.7
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-ukj6-rn9c-b7ap	Open redirect in url-parse Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.	CVE-2021-3664 GHSA-hh27-ffr2-f2jc

Vulnerability

Summary

Aliases

VCID-ukj6-rn9c-b7ap

Open redirect in url-parse Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.

CVE-2021-3664
GHSA-hh27-ffr2-f2jc

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T01:31:03.279659+00:00	GitLab Importer	Affected by	VCID-c1dy-p3tz-dbcs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/url-parse/CVE-2022-0691.yml	38.6.0
2026-06-06T01:30:52.599001+00:00	GitLab Importer	Affected by	VCID-91bh-dzjq-xbev	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/url-parse/CVE-2022-0686.yml	38.6.0
2026-06-06T01:30:42.369812+00:00	GitLab Importer	Affected by	VCID-yqx2-x5zq-7qhv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/url-parse/CVE-2022-0639.yml	38.6.0
2026-06-06T01:29:56.437008+00:00	GitLab Importer	Affected by	VCID-rxnd-sf2e-aqcg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/url-parse/CVE-2022-0512.yml	38.6.0
2026-06-04T17:29:20.303596+00:00	GithubOSV Importer	Fixing	VCID-ukj6-rn9c-b7ap	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-hh27-ffr2-f2jc/GHSA-hh27-ffr2-f2jc.json	38.6.0
2026-06-02T04:39:36.148233+00:00	GitLab Importer	Fixing	VCID-ukj6-rn9c-b7ap	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/url-parse/CVE-2021-3664.yml	38.6.0